Sampei Nihira

Level 6
Verified
In some sites, blocking just one fingerprint technique just breaks the whole site pages, so useless to even try in the first place.
Scriptblockers are meant to block scripts in low-reputation/suspicious sites.


I beg to differ on this particular point, if you visit a malicious page, the first attack is just a malicious script injecting code in your browser/memory or uploading a malicious file to your system.
Modern Threat Actors don't waste time and resources studying each visitor system unless, in the rare case, they target a particular individual or small group. Today, they work by batch to maximize revenues and minimize time and resource cost.
Hackers won't try anymore to break through your router and firewall doing the good ol' historical ping and portscan with Netcat and Nmap or whatever technique it was in the 80-90's.
Data Entry/Spear Phishing, Social Engineering, malicious link redirection, weaponized emails; those are modern hacker attack vectors and way faster and easier.

Fingerprinting isn't a method widely used by threat actors but mostly by marketers.
It is assumed that users know how to use whitelists and in the case of Scriptsafe also the temporary disabling of the extension.
2 operations also for me who don't like to use Chrome with a unique simplicity.
With regard to the next answer, just one example:

Gather initial system fingerprint
Once the malware has created the named mutex, it attempts to gather an initial fingerprint of the system to identify the system. This information is then sent to the operating C2 to fingerprint the system to decide which commands to send next.

Sysinfo gathered by the RAT:

  • Computer Name.
  • Current User Account Name.
  • Windows operating system (OS) version in the form of a textual representation:
    • XP
    • XP SP2
    • Vista
    • 7
    • 8
    • 8.1
    • 10
  • OS bitness i.e.
    • 64 bits
    • 32 bits

  • Directory & File Check: A unique feature of the RAT is that it looks for the presence of a specific directory and all files residing inside it. The directory path (folderpath) is hardcoded in the RAT: C:\ProgramData\System\Dump.
    If this directory is present on the infected system then the RAT sends the keyword "Yes" to its C2 and "No" otherwise.
  • Another hard coded value from the implant "5.2" is sent to the C2. (May indicate version number of the implant)


The sysinfo gathered by the implant is then put together as a single string with the character ">" used as a delimiter.

Format used:

(_variable_ = used for depicting a variable value)

_ComputerName_>_UserName_>Windows _version-string_>_implant-name-on-disk_>_OS-bitness_>_Dump_dir_files_exist_>_hardcoded_implant_version_number_>

E.g.

DESKTOP-SCOTTPC>jon>Windows 10>sgrmbrokr>64 bits>Yes>5.2>

Although the implant gathers the system information initially, it only sends this information out if it receives a specific command code from the C2. The implant also performs anti-infection checks before it fully activates itself on the endpoint.

Anti-Infection Checks
Another interesting feature in the implant is that after it gathers the preliminary system information for fingerprinting, it performs a series of checks against the user and computer name it has obtained to identify an endpoint or user account it must avoid its execution on/for. If any of the values from its blacklist match the current user/computer name, it simply stops its execution.
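
As an added example (not part of the thread or of the quoted write-up): a parser a defender could run over payloads captured at a proxy or sandbox to flag strings in the ">"-delimited layout quoted above. The names `Fingerprint`, `parse_fingerprint` and `scan` are hypothetical, and the payloads are assumed to be already decoded to text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values exactly as listed in the quoted write-up.
OS_VERSIONS = {"XP", "XP SP2", "Vista", "7", "8", "8.1", "10"}
BITNESS = {"64 bits", "32 bits"}

@dataclass(frozen=True)
class Fingerprint:
    computer: str
    user: str
    os_version: str
    implant_name: str
    bitness: str
    dump_dir_present: bool   # "Yes"/"No" for C:\ProgramData\System\Dump
    implant_version: str

def parse_fingerprint(payload: str) -> Optional[Fingerprint]:
    """Parse one decoded payload; None if it does not fit the layout."""
    parts = payload.strip().split(">")
    # Seven fields, then an empty string left by the trailing ">".
    if len(parts) != 8 or parts[7] != "" or not all(parts[:7]):
        return None
    computer, user, os_str, name, bits, dump, version = parts[:7]
    if not os_str.startswith("Windows ") or os_str[8:] not in OS_VERSIONS:
        return None
    if bits not in BITNESS or dump not in ("Yes", "No"):
        return None
    # Assumption: the version field is a dotted number like the "5.2" quoted.
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return Fingerprint(computer, user, os_str[8:], name, bits, dump == "Yes", version)

def scan(payloads: List[str]) -> List[Tuple[int, Fingerprint]]:
    """Return (index, Fingerprint) for each payload that matches."""
    hits = [(i, parse_fingerprint(p)) for i, p in enumerate(payloads)]
    return [(i, fp) for i, fp in hits if fp is not None]

# First entry is the example from the post; the rest are constructed.
SAMPLE = [
    "DESKTOP-SCOTTPC>jon>Windows 10>sgrmbrokr>64 bits>Yes>5.2>",
    "GET /search?q=a>b HTTP/1.1",
    "LAB-PC>alice>Windows 7>updater>32 bits>No>5.2>",
    "LAB-PC>alice>Windows 7>updater>48 bits>No>5.2>",
    "LAB-PC>alice>Windows 7>updater>32 bits>No>5.2",
]

if __name__ == "__main__":
    for idx, fp in scan(SAMPLE):
        print(idx, fp)
```
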
 

ForgottenSeer 823865

It is assumed that users know how to use whitelists and in the case of Scriptsafe also the temporary disabling of the extension.
2 operations also for me who don't like to use Chrome with a unique simplicity.
With regard to the next answer, just one example:
I use Scriptsafe, and I can tell you, blocking some scripts (like Google API) in some sites prevents me from even logging in...

We have to distinguish "sites fingerprinting" from active malware in a compromised system "fingerprinting"; those are different kinds.
The malware case is more a system check to maximize penetration and obfuscation rather than to collect various data, and is only possible once the malware is in the system, unlike "site fingerprinting", which just needs you to connect to the site.

We have to be clear because some members/visitors who don't have our technical/semantic baggage may easily mistake the meaning of our posts.
 

Sampei Nihira

Level 6
Verified
I personally use Scriptsafe in Chrome only for Fingerprinting protection which, moreover, is not complete because 2 components escape its protection.(y);)
I use UBO to block other scripts.
If you make use of these extensions it is a pity not to take advantage of its possibilities.
 

Cortex

Level 17
Verified
eBay recently sends me a CAPTCHA to sign in & Amazon always sends a code to my email, very slightly inconvenient but none of the sites seem to know much about me when not signed in - Using Adguard & IVPN anti-tracker, seems to work as much as I want it to.
 

ForgottenSeer 823865

I personally use Scriptsafe in Chrome only for Fingerprinting protection which, moreover, is not complete because 2 components escape its protection.(y);)
I use UBO to block other scripts.
If you make use of these extensions it is a pity not to take advantage of its possibilities.
As I said above, I use SS with almost all features enabled (in the fingerprinting and privacy tabs), but especially the anti-script capabilities, which are the most important to me. However those are general blockers, and often you have to disable some of them (aka whitelist the site for a particular block) to even be able to use the site.
 

Sampei Nihira

Level 6
Verified
In the comments of the article below, an anonymous asks about Localstorage monitoring:


Although your unique ID may be detected along with Tab Name monitoring, disabling it causes several problems.
Not to mention that the problem does not exist in the event of a general block of scripts.

You have to worry about privacy enough, you don't have to go further than paranoia.;):)

I insert a test that highlights the above:

 

crezz

Level 6
Verified
Easy to check, just post what specific backpack you were searching on eBay and I can by doing a similar search explicitly mentioning that brand.
I am searching ebay.co.uk (not ebay.com) for "Vango Planet". It is mostly sleeping bags that are listed, but it's the backpack of the same brand that I am looking for.

There are two "related searches" listed at the bottom of my search results. One is Nokia 3310, I won't say what the other is. Can other people see this as well ? It doesn't happen on Windows, I've only noticed it on iOS.
 

Sampei Nihira

Level 6
Verified
Usually, it doesn't always mean:;)



MB's blog is littered with articles like the ones above.
Read also this which is very interesting:

 

ForgottenSeer 823865

@Sampei Nihira you just confirmed what I said, malvertising is just marketing using devious means, not even needing using malware.
Real cybercriminals, I mean those aiming for trade secrets, sensitive data and other financial gains, don't care much about fingerprinting the user. They don't have to. They have more direct and efficient ways.
 

Slyguy

Level 43
I normally search for items on ebay using my PC. I browse behind a VPN, signed out of ebay, and set my browser to delete cookies and site data upon exit. Recently, I have been searching for three particular items- a specific brand of camping backpack, a 1980s retro computer and a Nokia 3310 phone.
Sounds like someone is building a private bug out kit? I know a few guys going back to old Nokia dumb phones actually, but the retro computer, which is largely going to be unhackable, is another method. Also, utilizing bulletin board systems (BBS) for underground communications completely flies under the radar of modern intelligence systems. (and the AI doesn't even know how to parse it)

Anyway, there are tons of methods to track people beyond the normal. Even IPv6 on your NIC, WiFi identifiers, Battery level on devices, etc. Right now, some of these companies are so utterly effective at tracking that if you don't use a disposable boot OS on a special hotspot, they'll be able to pin you down.
 

crezz

Level 6
Verified
I'm not particularly worried about being tracked by nation state security agencies. I just assume that anything I do on a computer can be seen by those people !

However, I'd like to hide myself from private businesses or criminals as far as possible. At least make things difficult for them.

I'd still be interested to know if anyone can tell me the model of retro computer I have been searching for, based on the information I have already provided above.
 

Sampei Nihira

Level 6
Verified
I'm not particularly worried about being tracked by nation state security agencies. I just assume that anything I do on a computer can be seen by those people !

However, I'd like to hide myself from private businesses or criminals as far as possible. At least make things difficult for them.

I'd still be interested to know if anyone can tell me the model of retro computer I have been searching for, based on the information I have already provided above.
There is a flaw of privacy in your devices.
If it is in the PC or smartphone, only you know what is the most likely option.
I would tend to say that it is in the smartphone.